4 Important Vendor Risk Management Principles For Security Managers
Melissa Stevens | August 18, 2016
Organizations today aren’t single entities; they are interconnected networks of third parties. Third-party relationships are critical to success in most businesses, but every one of them widens the surface through which your data can be exposed by bad actors. Because of this, vendor risk management (VRM) is becoming an even more important business practice.
Below, we’ve outlined four critical principles all security managers should keep in mind when it comes to vendor risk management.
The 4 Most Important Vendor Risk Management Principles For Security Managers
1. Know which vendors have your critical data.
Fact: You cannot treat all of your vendors equally. Your organization doesn’t have unlimited resources or the ability to scale infinitely, so you need a consistent method for evaluating vendors. The cornerstone of managing third parties is concentrating effort on the vendors that manage, process, or store your most critical data.
First, consider your data criticality: Which vendors are handling the most valuable data in your organization? Second, consider your critical services: Which vendors host a critical service for you that isn’t protected or regulated well? Once you evaluate these questions, you should be able to determine where you want to spend the majority of your time and which vendors to prioritize in terms of vendor risk management.
2. Verify that the security posture of the vendor is equal to or better than your own.
Most organizations begin their vendor evaluation processes by reviewing compliance artifacts: certifications, audit reports, and questionnaires built on frameworks such as ISO 27001, NIST, or SOC 2. These documents are simple communication vehicles that give you a glimpse of the vendor’s security posture at the time they were produced.
The problem is, these reports are often subjective, unverifiable, and unactionable, a triple threat against proper vendor risk management principles. What’s more, they are self-reported or point-in-time, so they inherit the misunderstandings and errors of whoever filled them in, and producing and reviewing them consumes time on both sides.
Therefore, many modern organizations are turning to publicly observable metrics, which identify and verify the technical controls a vendor actually has in place. These metrics are typically mapped to the vendor’s public IP addresses and domains. Misconfigured public-facing services, or hosts in the vendor’s IP space communicating with known malicious infrastructure, are indicators that the vendor’s security posture may not be up to par. This is similar to home security: A home with no locks and broken windows is easier to break into than one that is meticulously maintained and updated with the right security tools.
Solutions like BitSight Security Ratings allow first-party organizations to quickly and easily review their vendors without having to request anything from the third party. These solutions take a time-consuming data collection process and make it as easy as logging into a portal and reviewing a security rating.
3. Ensure that you review third parties holistically.
When contracting with a new vendor, you want to be sure that you have the business’s best interests in mind—and this means collaborating across departments and internal groups.
You have to keep in mind that information security and data privacy aren’t the only things that a vendor is analyzed on—legal, finance, and human resources are also important areas of supplier onboarding. For example, if a vendor performs poorly in information security but well in all other categories, you may still choose to work with them. Why? Perhaps they don’t house any critical data or perform any critical services, and a partnership would be mutually beneficial. Conversely, a vendor may perform very highly in information security, but legal or finance is unwilling to accept a particular contractual term. In this instance, it’s important for all parties to look at the business as a whole—not just at their individual disciplines—for the betterment of the company.
4. Trust but verify.
This age-old adage still rings true. Vendor risk management evaluates a continuing relationship, not a single point in time. But without the proper tools, you have no way of knowing how a vendor’s posture changes after you’ve signed the contract. With continuous risk monitoring solutions like BitSight Security Ratings, you can regularly see how the vendor’s security posture is changing and act before the risk reaches your own data and network.
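To make principles 2 and 4 concrete, the following is an added example, not code from the original post and not BitSight’s rating method: a simplified outside-in check over the kind of publicly observable signals the article describes (email authentication records, TLS version, certificate expiry, an HSTS header, and outbound traffic from the vendor’s IP space to a blocklist), run once at contract signing and again 90 days later so the difference between a point-in-time review and continuous monitoring is visible. The vendor name, IP addresses (RFC 5737 documentation ranges), DNS records, headers, blocklist, and finding weights are all constructed assumptions.

```python
"""Outside-in vendor posture check over constructed observations.

Added example for this article; it is not BitSight's rating algorithm and
not any vendor's code. Hostnames, IP addresses (RFC 5737 documentation
ranges), DNS records, headers, the blocklist and the weights are all
constructed assumptions.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed threat-intel list: one /24 treated as known-malicious space.
BLOCKLIST = [ip_network("198.51.100.0/24")]

# Assumed additive weights per risk vector (illustration only).
WEIGHTS = {
    "no_spf": 5,
    "no_dmarc": 5,
    "weak_tls": 15,
    "cert_expiring": 10,
    "no_hsts": 5,
    "beaconing": 40,
}


def assess(obs, now):
    """Return the sorted finding codes for one snapshot of observations.

    obs keys: dns_txt (TXT strings seen at the apex and _dmarc names),
    tls (version, cert_not_after), http_headers (dict), outbound
    (list of (src, dst) IP pairs leaving the vendor's public IP space).
    """
    findings = set()
    txt = [t.lower() for t in obs.get("dns_txt", [])]
    if not any(t.startswith("v=spf1") for t in txt):
        findings.add("no_spf")
    if not any(t.startswith("v=dmarc1") for t in txt):
        findings.add("no_dmarc")
    tls = obs.get("tls", {})
    if tls.get("version") in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.add("weak_tls")
    not_after = tls.get("cert_not_after")
    if not_after is not None and not_after - now < timedelta(days=30):
        findings.add("cert_expiring")
    headers = {k.lower() for k in obs.get("http_headers", {})}
    if "strict-transport-security" not in headers:
        findings.add("no_hsts")
    # Any host in the vendor's IP space talking to blocklisted space.
    if any(ip_address(dst) in net
           for _src, dst in obs.get("outbound", [])
           for net in BLOCKLIST):
        findings.add("beaconing")
    return sorted(findings)


def score(findings):
    """Map findings to 0..100; 100 means nothing adverse was observed."""
    return max(0, 100 - sum(WEIGHTS[f] for f in findings))


def posture_change(before, after):
    """What appeared and what was fixed between two assessments."""
    b, a = set(before), set(after)
    return {"new": sorted(a - b), "resolved": sorted(b - a)}


# Constructed snapshots of one hypothetical vendor, example-vendor.test.
SIGNING = datetime(2016, 8, 18)
LATER = SIGNING + timedelta(days=90)
CERT_NOT_AFTER = SIGNING + timedelta(days=110)  # fine at signing, not later

AT_SIGNING = {
    "dns_txt": ["v=spf1 include:_spf.example-vendor.test -all",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example-vendor.test"],
    "tls": {"version": "TLSv1.2", "cert_not_after": CERT_NOT_AFTER},
    "http_headers": {"Strict-Transport-Security": "max-age=31536000"},
    "outbound": [("203.0.113.10", "192.0.2.50")],
}
NINETY_DAYS_LATER = {
    "dns_txt": ["v=spf1 include:_spf.example-vendor.test -all"],  # DMARC gone
    "tls": {"version": "TLSv1.2", "cert_not_after": CERT_NOT_AFTER},
    "http_headers": {},  # HSTS dropped, e.g. after a CDN migration
    "outbound": [("203.0.113.10", "198.51.100.7")],  # blocklisted destination
}


def run_example():
    """Point-in-time check at signing versus the same check 90 days on."""
    before = assess(AT_SIGNING, SIGNING)
    after = assess(NINETY_DAYS_LATER, LATER)
    return {
        "score_at_signing": score(before),
        "score_now": score(after),
        "change": posture_change(before, after),
    }


if __name__ == "__main__":
    print(run_example())
```

At signing the vendor looks clean and scores 100; the same checks 90 days later surface a dropped DMARC record, a missing HSTS header, a certificate within 30 days of expiry, and a host in the vendor’s IP space talking to blocklisted space, dropping the score to 40. The one-off questionnaire would still say everything is fine; `posture_change` is the piece a continuous-monitoring tool adds.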
Vendor risk management must be a priority for all security managers. If you don’t do your due diligence on a vendor before signing on the dotted line, you may be setting yourself up for an information security disaster.
Because this process can be both lengthy and intimidating, we’ve created a guide for security managers that covers the following:
Basic questions you need to ask all vendors.
Actionable risk vectors and configurations to keep in mind.
The impact of continuous risk monitoring software.